Getting 'ERR_TOO_MANY_REDIRECTS' in browser when trying to access WordPress website with Nginx

I'm trying to deploy a simple WordPress website with Nginx as reverse proxy, but right after I installed SSL (Let's Encrypt Certbot), I can no longer access the default WordPress install page; instead I'm getting the browser's 'ERR_TOO_MANY_REDIRECTS'.

The Nginx config is set up to redirect all traffic from http to https and also from non-www to www.

Here's what the config file looks like:

upstream site1-php-handler {
        server unix:/var/run/php/php-fpm.sock;
}

server {

        server_name example.com;
        return 301 https://www.example.com$request_uri;



    listen 443 ssl; # managed by Certbot
    ssl_certificate /etc/letsencrypt/live/example.com/fullchain.pem; # managed by Certbot
    ssl_certificate_key /etc/letsencrypt/live/example.com/privkey.pem; # managed by Certbot
    include /etc/letsencrypt/options-ssl-nginx.conf; # managed by Certbot
    ssl_dhparam /etc/letsencrypt/ssl-dhparams.pem; # managed by Certbot

}

server {

        root /var/www/html/example.com;
        server_name www.example.com;
        index index.php index.html;

        location / {
                try_files $uri $uri/ /index.php?$args;
        }

        location ~ \.php$ {
                include snippets/fastcgi-php.conf;
                fastcgi_pass site1-php-handler;
        }

        access_log /var/log/nginx/example_access.log;
        error_log /var/log/nginx/example_error.log;


    listen 443 ssl; # managed by Certbot
    ssl_certificate /etc/letsencrypt/live/example.com/fullchain.pem; # managed by Certbot
    ssl_certificate_key /etc/letsencrypt/live/example.com/privkey.pem; # managed by Certbot
    include /etc/letsencrypt/options-ssl-nginx.conf; # managed by Certbot
    ssl_dhparam /etc/letsencrypt/ssl-dhparams.pem; # managed by Certbot

}

server {
    if ($host = example.com) {
        return 301 https://$host$request_uri;
    } # managed by Certbot

    server_name example.com;
    listen 80;
    return 404; # managed by Certbot
}

server {
    if ($host = www.example.com) {
        return 301 https://$host$request_uri;
    } # managed by Certbot

    server_name www.example.com;
    listen 80;
    return 404; # managed by Certbot
}

What am I doing wrong here?

That config looks fine for redirects. Did you restart nginx after making these changes? Sometimes just a reload is not enough after changing listeners.

4 Likes

Yes, I never reload, I always restart. And did it a couple of times.

I can't do much more evaluation without the actual domain name.

The only thing I'd suggest is to do a sudo nginx -T and evaluate the output to be sure it's only what you show above.

4 Likes

Yes, that shows exact server blocks as well as other server blocks from my other active apps.

May I message you the domain?

1 Like

Maybe. Just click my name and see if it has Message button. Sometimes new people can't do such things though.

Domain names are not secret. They appear in public certificate logs (see crt.sh website) and DNS system.

4 Likes

Nah I know how to do that. I was just taking your permission.

And I don't want to expose the domain here as I haven't set up WordPress yet. Someone getting their hands on the first WordPress setup might set it up on their own. Don't want to go through the hassle of removing my app and doing everything all over again.

Check inbox.

2 Likes

Oh, you are behind Cloudflare CDN. Check the redirect settings you have there. It looks like you are redirecting https to itself. Usually only http to https redirects are done there, but you have that set up nicely in nginx so maybe you don't need any redirects in Cloudflare.

@azakero
Example post with good tips
https://support.cloudflare.com/hc/en-us/articles/115000219871-Troubleshooting-redirect-loop-errors-

5 Likes
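A way to see a redirect chain hop by hop and tell a terminating chain from a loop, added here as an example and not code from any poster in this thread. `posted_nginx_config` and `self_redirecting_edge` are constructed stand-ins (the first models the four server blocks in the question, the second the https-to-itself redirect described in the reply); `fetch_once` is the real fetcher for use against a live site.

```python
import http.client
from urllib.parse import urljoin, urlsplit

def fetch_once(url, timeout=10):
    """Real fetcher: one GET, redirects not followed. Returns (status, Location)."""
    p = urlsplit(url)
    cls = http.client.HTTPSConnection if p.scheme == "https" else http.client.HTTPConnection
    conn = cls(p.netloc, timeout=timeout)
    try:
        conn.request("GET", (p.path or "/") + (f"?{p.query}" if p.query else ""))
        resp = conn.getresponse()
        return resp.status, resp.getheader("Location")
    finally:
        conn.close()

def trace_redirects(url, fetch=fetch_once, max_hops=10):
    """Follow redirects by hand; return (hops, verdict) with verdict
    "final", "loop" (a URL repeats) or "too_many"."""
    hops, seen = [], set()
    while len(hops) < max_hops:
        status, location = fetch(url)
        hops.append((url, status, location))
        if status not in (301, 302, 303, 307, 308) or not location:
            return hops, "final"
        seen.add(url)
        url = urljoin(url, location)
        if url in seen:
            return hops, "loop"
    return hops, "too_many"

def posted_nginx_config(url):
    """Constructed model of the four server blocks in the question's config."""
    p = urlsplit(url)
    if p.scheme == "http":                      # both port-80 blocks
        return 301, f"https://{p.netloc}{p.path}"
    if p.netloc == "example.com":               # 443, non-www block
        return 301, f"https://www.example.com{p.path}"
    return 200, None                            # 443, www block serves WordPress

def self_redirecting_edge(url):
    """Constructed model of the behaviour the reply describes: https sent to itself."""
    return 301, url

if __name__ == "__main__":
    for fake in (posted_nginx_config, self_redirecting_edge):
        hops, verdict = trace_redirects("https://www.example.com/", fetch=fake)
        print(fake.__name__, verdict, hops)
```

Against the modelled nginx config every entry point ends at `https://www.example.com/` within three hops, so a loop seen in the browser has to come from something in front of the origin.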

Hey it was set to default settings. But then I have another website there in CF and followed its settings and enabled http to https. And now it's working. Weird.

Would that be a problem?

Not sure what your concern is. If you want more info about Cloudflare configs it's best to ask on their forums.

I don't see a redirect loop anymore so seems fine to me. Not really a Let's Encrypt problem I just volunteered to help anyway :slight_smile:

3 Likes

If you have gotten a public certificate issued, your domain has already been exposed as all publicly trusted certificates are required to be submitted to multiple certificate transparency logs, which are also public. This is actually a common and known attack vector: script kiddies are using certificate transparency logs to check for improperly configured sites, such as WordPress sites not yet set up.

As you already have a certificate issued, your site is already at risk!

3 Likes

Yeah that's what I was asking if there is any redirect loop. But thank you for helping me. It means a lot. Prayers for you mate.

2 Likes

Oh damn. But as soon as I had access to the wordpress page, I set it up right away. I guess it won't be an issue now. But ey thanks for the info. Learnt a new thing today. :smiley:

1 Like

@MikeMcQ however, I had a question, a noob one though lol. Now that CF's redirect is enabled from http to https, do I remove all those Certbot certificates and if blocks from my config above?

You should, IMO, at least check the webserver log files for access attempts from malicious scripts. That said, such things are outside of the scope of this Community.

3 Likes
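One way to do the log check suggested above, added here as an example and not code from any poster in this thread: it scans nginx access-log lines for requests to the WordPress first-run pages and reports which addresses reached them. It assumes nginx's default `combined` log format and that the logged address is the real client (behind a CDN that requires nginx's realip module to be configured); the sample lines and the trusted address are constructed.

```python
import re
from collections import defaultdict

# nginx default "combined" format, which a bare access_log directive uses.
LOG_RE = re.compile(
    r'(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3}) '
)
# WordPress first-run pages; reachable by anyone until setup is finished.
INSTALLER_PATHS = {"/wp-admin/install.php", "/wp-admin/setup-config.php"}

def installer_hits(lines, trusted_ips=frozenset()):
    """Summarise installer requests per client IP, ignoring trusted addresses."""
    hits = defaultdict(lambda: {"count": 0, "first_seen": None, "form_accepted": False})
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue  # malformed line or a different log format
        path = m["target"].split("?", 1)[0].lower()
        if path not in INSTALLER_PATHS or m["ip"] in trusted_ips:
            continue
        entry = hits[m["ip"]]
        entry["count"] += 1
        entry["first_seen"] = entry["first_seen"] or m["ts"]
        # A POST answered with 2xx means a setup form was submitted and processed.
        if m["method"] == "POST" and m["status"].startswith("2"):
            entry["form_accepted"] = True
    return dict(hits)

# Constructed sample lines (documentation-range IPs), not taken from the thread.
SAMPLE_LOG = [
    '198.51.100.7 - - [12/Mar/2023:10:01:02 +0000] "GET /wp-admin/install.php HTTP/1.1" 200 4312 "-" "Mozilla/5.0"',
    '203.0.113.50 - - [12/Mar/2023:10:03:40 +0000] "GET /wp-admin/setup-config.php?step=1 HTTP/1.1" 200 2100 "-" "python-requests/2.28"',
    '203.0.113.50 - - [12/Mar/2023:10:03:41 +0000] "GET /wp-admin/install.php HTTP/1.1" 200 4312 "-" "python-requests/2.28"',
    '198.51.100.7 - - [12/Mar/2023:10:05:15 +0000] "POST /wp-admin/install.php?step=2 HTTP/1.1" 200 1890 "-" "Mozilla/5.0"',
    '203.0.113.99 - - [12/Mar/2023:10:09:00 +0000] "GET /index.php HTTP/1.1" 200 512 "-" "curl/8.0"',
]

if __name__ == "__main__":
    for ip, info in installer_hits(SAMPLE_LOG, trusted_ips={"198.51.100.7"}).items():
        print(ip, info)
```

Any address in the result with `form_accepted` set that is not your own is the case to investigate first, since it means someone else's setup form was processed.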

Just checked it. Everything looks fine. Thank you.

2 Likes

You need certs for HTTPS connections between the Cloudflare CDN Edge and your origin server.

As for the HTTP server blocks (port 80), I would leave them as is. Cloudflare may not use them (as currently configured) but I'm not sure if certbot will like them omitted. They might also be handy if you change your mind about Cloudflare CDN or its config.

Another option is to use the Cloudflare Origin CA. If you are committed to using CF CDN you could eliminate certbot and Let's Encrypt certs for your origin server. You can read more about that at Cloudflare (below). It's a tradeoff between simplicity and flexibility, mostly.

3 Likes

Thanks for the explanation mate. It's much clearer now. Thank you again.

2 Likes
